EOS: Basic Switch Layer 2 Configuration Best Practices and minimum feature recommendations

Objective
This article outlines best practices and minimum feature recommendations for the initial basic Layer 2 configuration of EOS switches. These are practices regularly used as a minimum requirement and are a good starting point for anyone who has not configured EOS switches before. They are not exhaustive and are not a detailed description; if further information on any feature is required, refer to the relevant configuration guide. The article also contains some useful tips that may not have been considered, but these are only recommendations and each situation may require additional analysis.
Environment
  • N-Series
  • S-Series
  • K-Series
  • Securestack
Procedure
  • GVRP configuration
    • Disable GVRP unless you have a specific requirement for it
      • set gvrp disable
  • Spanning Tree configuration
    • Spanning tree is enabled by default and will work correctly without any configuration when new switches are connected together.
    • Leave it enabled unless you have a specific case that requires disabling it (e.g. a point-to-point router connection).
    • The following are tuning recommendations:
    • Configure all edge ports to be Adminedge true so that user ports transition to the forwarding state immediately.
      • set spantree adminedge ge.1.11 true
    • Enable SpanGuard globally. This setting only operates on Adminedge-configured ports and protects against Spanning Tree denial-of-service (DoS) attacks as well as unintentionally or unauthorized connected bridges, by intercepting BPDUs received on those ports and locking the ports so that they do not process any received packets.
      • set spantree spanguard {enable | disable}
    • Enable Loop Protect feature on all uplink ports to LP capable switches to prevent loop formation in your network by requiring ports to receive type 2 BPDUs (RSTP/MSTP) on point-to-point inter-switch links (ISLs) before their states are allowed to become forwarding.
      • set spantree lpcapablepartner port-string {true | false}
        set spantree lp port-string {enable | disable} [sid sid]
    • MSTP is the default spantree version and is recommended, as it is backward compatible with the other versions.
    • Configure two instances if there are blocked redundant links that could be used for load balancing.
      • set spantree mstcfgid cfgname name
        set spantree msti sid sid create
        set spantree mstmap fid [sid sid]
  • Configure movedaddrtrap
    • Enable the movedaddrtrap feature to provide notification of moving MAC addresses to the syslog and console in the event of a loop.
      • set movedaddrtrap [port-string] {enable | disable}
        set movedaddrtrap enable
  • LACP configuration for link aggregation
    • LACP is enabled globally but disabled per port (on most current products).
    • Use the default dynamic LACP in most cases, and simply set the aadminkey to a fixed value manually so that the port-to-LAG association is controlled after a reboot.
    • The example configuration below is all that is needed to bring a LAG up if both ends run LACP:
      • set lacp aadminkey lag.0.10 10
        set port lacp port ge.1.1 aadminkey 10
        set port lacp port ge.1.2 aadminkey 10
        set port lacp port ge.1.1-2 enable
    • Disable bridging on LAG physical member ports and restrict traffic forwarding only to the logical port configured.
      • set spantree portenable <port-list> disable
    • Consider whether the use of short timers is appropriate. The default timers for the LAG are "long": the protocol transmits maintenance packets every 30 seconds, which means it will wait up to 3 x 30 seconds to detect a failure if there is no link loss. "Short" timers send the protocol every second and shorten the failover time to three seconds in the same circumstances. Short timers are appropriate in environments where a local link loss, such as a carrier loss from a media converter or a cable modem (channelizing connection), is not likely. In these cases the protocol or secondary connections are not passing protocol or data, but because there is no link loss the underlying ports are not removed from the LAG, and communication over them is disrupted until the timer expires.
      • set port lacp port ge.1.1-2 aadminstate lacptimeout
  • Prevent flooding of certain L2 server traffic
    • Consider using the "set mac multicast" command to prevent the flooding of server traffic if NLB load-balanced servers are accessed from the L2 switch. Without this, NLB traffic is flooded on the network as unknown traffic. The flooded traffic uses the software forwarding path, subject to its rate limiters, instead of the device's hardware forwarding path, and it competes for slow-path resources with the first packets of other new flows. To make the switch use the hardware path and prevent the flooding, the traffic must be scoped by manually configuring a multicast MAC address and a static ARP entry. The article below describes how to do this:
  • Use the forcelinkdown feature to make sure that ports which are administratively disabled actually have link down as well. By default the feature is disabled, so enable it using the command below.
    • set forcelinkdown {enable | disable}
  • Disable unused ports for security
    • set port disable
  • Set an alias on the ports to help identify them during troubleshooting
    • set port alias
  • Control broadcast levels on ports (get a broadcast baseline first using an analyser)
    • set port broadcast
  • Configure logging to allow syslog information to be sent to the console, to a file and to a syslog server
    • set logging local console enable file enable sfile enable
      set logging server
  • Configure system parameters: name, location and login details
    • set system location
      set system name
      set system login
  • Configure prompt to allow identification of the system you are logged in to
    • set prompt
  • Use SSH for more secure remote access, and disable Telnet
    • set ssh enabled
      set telnet disable
  • Configure time functions
    • set sntp
      set timezone
      set summertime
  • Configure SNMP management access
    • Clear the default SNMP settings for the public community and read-only access.
    • Configure SNMPv3 credentials for more secure communication. The following article details how:
    • How to configure SNMP v3 on S/N/K/7100 Series
    • If configuring a Securestack product for use in a stack, consider statically configuring the SNMPv3 Engine ID. The Engine ID is derived from the MAC address of the current manager unit, so if the manager were to change from one unit to another in the stack, the SNMPv3 settings would need to be reset because the Engine ID would have changed. If the Engine ID is statically configured, any subsequent manager uses the value in the stack configuration instead of its own default Engine ID. Use the commands below.
    • show snmp engineid
      set snmp engineid <EngineID>
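The checks above are easiest to keep honest when they are scripted. The following is an added example (not part of the article or an Extreme tool) that audits an exported EOS running-config text against the baseline recommended here; the sample config is constructed, and the check for the default community assumes it appears as "set snmp community public".

```python
import re

# Constructed sample running-config excerpt (not from the article); it
# deliberately deviates from the baseline in several places.
SAMPLE_CONFIG = """\
set gvrp enable
set spantree adminedge ge.1.1-24 true
set spantree spanguard disable
set movedaddrtrap enable
set forcelinkdown disable
set telnet enable
set snmp community public
set logging server 1 ip-addr 192.0.2.10 state enable
"""

def normalise(config_text):
    # Lower-case, collapse whitespace, drop blank and comment lines.
    lines = [re.sub(r"\s+", " ", l.strip().lower()) for l in config_text.splitlines()]
    return [l for l in lines if l and not l.startswith("!")]

def has(lines, prefix):
    # True when any config line begins with the given command prefix.
    return any(l.startswith(prefix) for l in lines)

# (finding, predicate over normalised lines); the predicates only encode the
# recommendations listed in this article. The community check assumes the
# default community shows up as "set snmp community public" (assumption).
CHECKS = [
    ("GVRP enabled; disable unless required", lambda c: has(c, "set gvrp enable")),
    ("SpanGuard not enabled globally", lambda c: not has(c, "set spantree spanguard enable")),
    ("movedaddrtrap not enabled", lambda c: not has(c, "set movedaddrtrap enable")),
    ("forcelinkdown not enabled", lambda c: not has(c, "set forcelinkdown enable")),
    ("Telnet still enabled; use SSH", lambda c: has(c, "set telnet enable") or not has(c, "set telnet disable")),
    ("default SNMP community 'public' present", lambda c: has(c, "set snmp community public")),
    ("no syslog server configured", lambda c: not has(c, "set logging server")),
]

def audit(config_text):
    # Return the baseline deviations found in an EOS config dump, in CHECKS order.
    lines = normalise(config_text)
    return [msg for msg, failed in CHECKS if failed(lines)]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

On Securestack products the movedaddrtrap and forcelinkdown checks do not apply (see the note on feature support below), so drop those two entries from CHECKS there.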

Additional notes
Note on feature support:

All of the features above are supported on N-Series, S-Series and K-Series.
Securestack products support all of the features apart from movedaddrtrap and forcelinkdown.
